Sudin Apte's Blog

I don’t know why, but a financial wrongdoing at an offshore vendor makes big news in the Western world. We saw that happen in instances such as the theft at HSBC’s captive center in Bangalore and the stealing of Citibank’s client account information at Citi’s supplier Mphasis (now part of HP/EDS). The recently reported financial fraud of $4 million at Wipro is the next one that’s making the rounds. Frankly, I was surprised when many IT services buyers asked Forrester about this incident and its impact. Here is a snapshot of the story:

What happened at Wipro?

An employee in Wipro’s internal finance department (more specifically, someone looking after internal financial controls) got access to Wipro’s bank account password and misused it to transfer out approximately $4 million, in small parts over an extended period, to relatives’ personal accounts. Wipro did not realize this, and the employee continued to steal the money for as long as — according to some members of the Indian media — three years. Finally, sometime in December the company got an overdraft note from the bank which did not tally with the bank book, which showed a positive balance. This triggered an internal investigation and the culprit was quickly discovered. With the help of agencies, Wipro could recover half of the stolen amount, minimizing losses to $2 million. Wipro took several steps to audit its financial processes to find any loopholes. It also used an external audit agency to vouch that internal controls are sufficient, and as a precautionary measure Wipro made large-scale changes (job rotations, internal transfers) to its finance department staff.

Is it a serious issue?

From client questions and the number of companies asking about this, one thing is clear — several Wipro clients are concerned about the event. They told us that all these years Wipro was proud of its process integrity as well as the ethics and value system of its employees. That image, to some extent, is tarnished by this instance, especially as it went unnoticed for a long period. Against the backdrop of the Satyam saga, we find many stories — some true and some exaggerated — making the rounds. But frankly this incident is quite different from the earlier instances I mentioned above (and not even worth mentioning in the same breath as the fraud by Satyam’s promoters), for the following reasons:

It’s not unusual to have such financial theft in any part of the world.

It happened purely in Wipro’s internal finance function and does not impact any client data or money. It has no reason whatsoever to impact client delivery or client service levels.

There is no earlier track record (to the best of my knowledge) of such frauds at Wipro which could be interpreted to mean that Wipro runs on a porous system. Rather, Wipro took — although late — a quick series of steps to plug the gap and re-designed the system, now routinely rotating people and with increased control points.

A loss of two million is not insignificant, but Wipro surely can absorb it without hampering its financials.

What does it mean?

We don’t believe this incident will impact Wipro or its clients in any way. But at some level, it’s a gentle reminder of the importance of IT security and that evaluating your vendor’s security standards is a must. Don’t be complacent just because everything has been nice and fine with your provider in the past.

P.S. — I am in the last phase of writing a report on “How Safe Are Offshore Providers?” Recently the Data Security Council of India (DSCI — a Nasscom initiative) did a countrywide survey of the state of IT security in the industry. At almost the same time, the Indian government passed a law making security audits mandatory. Look out for my upcoming report on this subject.

Comments

The company insists on an FIR even if a laptop is lost. It is surprising that the company has not raised an FIR on this - plus it is a sign of a gap in their corporate governance. Is Wipro worried about more skeletons in its closet? There is a rumour that this CA was mysteriously found dead near a railway track in Bangalore. So far there is no proof to substantiate that what Wipro says is true. Why don't they let the government authorities (such as the police) verify the facts?

Forrester is an independent IT research company and as an analyst serving sourcing and vendor management professionals, my objective is to help these professionals to assess how the developments offshore will impact their vendors and service delivery. Based on our initial assessment, we had posted this blog to express our views on whether this incident will impact Wipro and its service delivery to its clients. While Forrester doesn’t comment on legal matters, we will continue researching ongoing developments – especially pertaining to the firm’s reputation, governance practices, impact on its business. If these factors have any impact on services delivery or should new information emerge that impacts these factors, we will put forward those facts to enable sourcing professionals to make the right decisions or take corrective steps.

I would suggest that this is more of a process and control issue rather than IT security. No amount of IT security systems and devices can help if, as in this case, a person steals a colleague's password and misuses it for illegal/unauthorized access. I think the bigger lapse was that this individual managed to siphon off $4 million "masquerading" as a legitimate user and the company did not detect this happening. No company in the world authorizes any legitimate user to withdraw company funds. In all likelihood, these withdrawals happened over a period of time and must have been masked by appearing to be legitimate transactions. However, the core point is that IT security is probably not the area Wipro will get maximum benefit from in investigating this case. Perhaps activity logs, transaction logs or other similar audit entries need to be tracked and analyzed on a regular basis.

Perhaps one area where IT security could help is if Wipro implemented multi-factor authentication for systems that enable these types of transactions to happen. In which case, simply possessing a user's computer password does not enable access to the internals of these application systems.

A couple of questions.
1. Can a payment be made to an a/c that does not exist?
2. I guess an a/c should exist and a/c creation (for suppliers etc.) would go through an approval process.
3. Payments to accounts would normally be reconciled against purchase orders and receipt of goods or services.

I am not from an accounting background and am just assuming a typical workflow and how it could have been subverted. Any thoughts ?
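The two comments above argue that this was a control failure rather than a device failure: transfers that masqueraded as legitimate transactions, payees that should have existed in an approved master, and payments that should have reconciled to purchase orders. The following is an added example, not from the post or its commenters, of what such a reconciliation run looks like over a bank statement. The vendor master, purchase orders, account numbers, user names and the 25,000 review threshold are all constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not from the page).
# Vendor master: payee account -> (vendor name, user who created the vendor record).
VENDOR_MASTER: Dict[str, Tuple[str, str]] = {
    "ACC-1001": ("Office Supplies Ltd", "procurement.lead"),
    "ACC-1002": ("Cloud Hosting Inc", "procurement.lead"),
    "ACC-1003": ("Consulting Partners", "fin.controls"),
}

# Open purchase orders: PO id -> (payee account, approved amount).
OPEN_POS: Dict[str, Tuple[str, float]] = {
    "PO-501": ("ACC-1001", 12_500.00),
    "PO-502": ("ACC-1002", 48_000.00),
    "PO-503": ("ACC-1003", 20_000.00),
}


@dataclass
class Payment:
    when: date
    payee: str
    amount: float
    po_ref: Optional[str]
    initiator: str  # user whose credentials initiated the transfer


# Constructed bank statement of outbound transfers.
BANK_STATEMENT: List[Payment] = [
    Payment(date(2009, 1, 5), "ACC-1001", 12_500.00, "PO-501", "ap.clerk"),
    Payment(date(2009, 1, 9), "ACC-1002", 48_000.00, "PO-502", "ap.clerk"),
    # Small transfers to an account never onboarded as a vendor, no PO behind them.
    Payment(date(2009, 1, 12), "ACC-9999", 9_800.00, None, "fin.controls"),
    Payment(date(2009, 1, 19), "ACC-9999", 9_700.00, None, "fin.controls"),
    Payment(date(2009, 1, 26), "ACC-9999", 9_900.00, None, "fin.controls"),
    # Approved vendor, valid PO, but paid more than the PO authorises.
    Payment(date(2009, 2, 2), "ACC-1001", 15_000.00, "PO-501", "ap.clerk"),
    # Valid PO and amount, but the same user created the vendor and paid it.
    Payment(date(2009, 2, 9), "ACC-1003", 20_000.00, "PO-503", "fin.controls"),
]

# Constructed threshold: cumulative unreconciled total per payee that warrants review.
STRUCTURING_THRESHOLD = 25_000.00


def reconcile(payments: List[Payment],
              vendors: Dict[str, Tuple[str, str]],
              pos: Dict[str, Tuple[str, float]],
              threshold: float = STRUCTURING_THRESHOLD) -> List[Tuple[str, str]]:
    """Return (rule, detail) findings for transfers that fail to reconcile
    against the vendor master and open purchase orders."""
    findings: List[Tuple[str, str]] = []
    unreconciled_total: Dict[str, float] = defaultdict(float)

    for p in payments:
        tag = f"{p.when} {p.amount:.2f} to {p.payee} by {p.initiator}"
        if p.payee not in vendors:
            # Payee was never approved: the commenter's "does the a/c exist" question.
            findings.append(("unapproved_payee", tag))
            unreconciled_total[p.payee] += p.amount
            continue
        if p.po_ref is None or p.po_ref not in pos:
            findings.append(("no_purchase_order", tag))
            unreconciled_total[p.payee] += p.amount
            continue
        po_payee, po_amount = pos[p.po_ref]
        if po_payee != p.payee:
            findings.append(("po_payee_mismatch", f"{tag} (PO {p.po_ref} is for {po_payee})"))
        elif p.amount > po_amount:
            findings.append(("exceeds_po", f"{tag} (PO {p.po_ref} approves {po_amount:.2f})"))
        # Segregation of duties: the user who onboarded the vendor must not pay it.
        if vendors[p.payee][1] == p.initiator:
            findings.append(("sod_violation", f"{tag} (initiator also created vendor record)"))

    # Individually unremarkable transfers that add up over the statement period.
    for payee, total in unreconciled_total.items():
        if total >= threshold:
            findings.append(("structured_total",
                             f"{payee} received {total:.2f} across unreconciled transfers"))
    return findings


if __name__ == "__main__":
    for rule, detail in reconcile(BANK_STATEMENT, VENDOR_MASTER, OPEN_POS):
        print(f"[{rule}] {detail}")
```

The first two rules answer the commenter's questions directly (the payee must exist in the approved master, and the payment must trace to a purchase order); the aggregate rule is what catches the pattern the post describes, many small transfers that each look unremarkable on their own. The check runs against the bank statement, not against the payment system's own records, so a user who can log in as a legitimate initiator cannot also hide the transfer from the reconciliation.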

There are many miseries in Wipro processes, e.g. the code of ethics written for employees is purely for business gains. But there is no system in place to unethical business practices at national or international level. There are many unnoticeable activities which are of an unethical nature, like realizing full value from the client by deploying college interns in the projects. Setting up SEZs next to the STPI buildings to evade taxes. Manipulating the stock prices by way of creating panic among ESOP holders (see the volume of shares traded during Apr'09 to Jun'09) to buy back shares at rock-bottom prices.

Most of the higher management are coming from a finance background and they go to any extent to meet their numbers. A classic example is showing better financial results by firing employees (Wipro has to come clean on the 17000 forced exits it managed during 2008 and 2009).

Ultimately, one cannot protect oneself against employees who actively go against corporate policies and guidelines. This story is not unique to Indian providers or IT service providers in general.
In a similar case in the IT industry, the Dutch service provider ICT announced a drop in annual profit for 2008 as a result of internal fraud. This fraud (around 2 million Euro) was also committed by one individual employee. He managed to change payment transactions that were already scrutinized by internal control. More control does not make all risks disappear magically.